This module allows you to authenticate the users of your Catalyst application on underlaying webserver. The complete list of authentication method available via this module depends just on what your webserver (e.g. Apache, IIS, Lighttpd) is able to handle.

Besides the common methods like HTTP Basic and Digest authentication you can also use sophisticated ones like so called "integrated authentication" via NTLM or Kerberos (popular in corporate intranet applications running in Windows Active Directory environment) or even the SSL authentication when users authenticate themself using their client SSL certificates.

The main idea of this module is based on a fact that webserver passes the name of authenticated user into Catalyst application as REMOTE_USER variable (or in case of SSL client authentication in other variables like SSL_CLIENT_S_DN on Apache + mod_ssl) - from this point referenced as WEBUSER. This module simply takes this value - perfoms some optional checks (see below) - and if everything is OK the WEBUSER is declared as authenticated on Catalyst level. In fact this module does not perform any check for password or other credential; it simply believes the webserver that user was properly authenticated.

The classname used for Credential. This is part of Catalyst::Plugin::Authentication and is the method by which Catalyst::Authentication::Credential::Remote is loaded as the credential validator. For this module to be used, this must be set to 'Remote'.

source contains a name of a variable passed from webserver that contains the user identification.

Supported values: REMOTE_USER, SSL_CLIENT_*, CERT_*, AUTH_USER

BEWARE: Support for using different variables than REMOTE_USER does not work properly with Catalyst 5.8004 and before (if you want details see source code).

Note1: Apache + mod_ssl uses SSL_CLIENT_S_DN, SSL_CLIENT_S_DN_* etc. (has to be enabled by 'SSLOption +StdEnvVars') or you can also let Apache make a copy of this value into REMOTE_USER (Apache option 'SSLUserName SSL_CLIENT_S_DN').

Note2: Microsoft IIS uses CERT_SUBJECT, CERT_SERIALNUMBER etc. for storing info about client authenticated via SSL certificate. AUTH_USER on IIS seems to have the same value as REMOTE_USER (but there might be some differences I am not aware of).

If param cutname_regexp is specified we try to cut the final usename passed to Catalyst application as a substring from WEBUSER. This is useful for example in case of SSL authentication when WEBUSER looks like this 'CN=john, OU=Unit Name, O=Company, C=CZ' - from this format we can simply cut pure usename by cutname_regexp set to 'CN=(.*), OU=Unit Name, O=Company, C=CZ'.

Substring is always taken as '$1' regexp substring. If WEBUSER does not match cutname_regexp at all or if '$1' regexp substring is empty we pass the original WEBUSER value (without cutting) to Catalyst application.

The key name in the authinfo hash that the user's username is mapped into. This is useful for using a store which requires a specific unusual field name for the username. The username is additionally mapped onto the id key.

Instantiate a new Catalyst::Authentication::Credential::Remote object using the configuration hash provided in $config. In case of invalid value of any configuration parameter (e.g. invalid regular expression) throws an exception.

Takes the username form WEBUSER set by webserver, performs additional checks using optional allow_regexp/deny_regexp configuration params, optionaly takes substring from WEBUSER and the sets the resulting value as a Catalyst username.